[openstack-dev] [glance][ironic][cinder][nova] 'tar' as an image disk_format

Daniel P. Berrange berrange at redhat.com
Tue Jan 26 09:11:07 UTC 2016


On Sun, Jan 24, 2016 at 12:00:16AM +0200, Duncan Thomas wrote:
> I guess my wisdom would be 'why'? What does this enable you to do that you
> couldn't do with similar ease with the formats we have and are people
> trying to do that frequently?
> 
> We've seen in cinder that image formats have a definite security surface to
> them, and with glance adding arbitrary conversion pipelines, that surface
> is going to increase with every format we add. This should mean we tend
> towards being increasingly conservative I think.

Safely extracting tar file contents to create a disk image to run the VM
from is particularly non-trivial. There have been many security flaws in
the past with apps doing tar file unpacking in this kind of scenario. For
example, Docker has had not one, but *three* vulnerabilities in this area:
CVE-2014-6407, CVE-2014-9356, and CVE-2014-9357. So unless there is a
pretty compelling reason, I'd suggest we stay away from supporting tar
as an image format, and require traditional image formats where we can
treat the file payload as an opaque blob and thus avoid all these file
processing risks.

Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|
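
An added example, not part of the original message: a pre-extraction audit of tar members, showing the kinds of per-entry checks a service takes on once it unpacks a tar payload instead of treating the image as an opaque blob. The function names, the in-memory sample archive and the chosen set of checks are assumptions made for illustration, and the checks are not exhaustive.

```python
import io
import posixpath
import tarfile

def audit_member(m):
    """Return the reasons this member is unsafe to unpack under a destination root."""
    problems = []
    name = posixpath.normpath(m.name)
    if m.name.startswith("/") or name == ".." or name.startswith("../"):
        problems.append("path escapes destination")
    if m.issym() or m.islnk():
        # Symlink targets resolve relative to the link's own directory;
        # hard-link targets are relative to the archive root.
        base = posixpath.dirname(name) if m.issym() else ""
        target = posixpath.normpath(posixpath.join(base, m.linkname))
        if m.linkname.startswith("/") or target == ".." or target.startswith("../"):
            problems.append("link target escapes destination")
    if m.ischr() or m.isblk() or m.isfifo():
        problems.append("device node or FIFO")
    if m.mode & 0o6000:
        problems.append("setuid/setgid bit set")
    return problems

def audit_archive(fileobj):
    """Map member name -> list of problems, for every member that has any."""
    with tarfile.open(fileobj=fileobj, mode="r:*") as tf:
        return {m.name: p for m in tf if (p := audit_member(m))}

def build_sample():
    """Constructed archive: one benign file plus four hazardous members."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        def add(name, type_=tarfile.REGTYPE, linkname="", mode=0o644, data=b""):
            ti = tarfile.TarInfo(name)
            ti.type, ti.linkname, ti.mode, ti.size = type_, linkname, mode, len(data)
            tf.addfile(ti, io.BytesIO(data) if data else None)
        add("etc/hostname", data=b"vm\n")
        add("../outside.txt", data=b"x")
        add("etc/link", tarfile.SYMTYPE, linkname="../../host-etc")
        add("dev/sda", tarfile.BLKTYPE)
        add("bin/tool", mode=0o4755, data=b"x")
    buf.seek(0)
    return buf

if __name__ == "__main__":
    for name, problems in audit_archive(build_sample()).items():
        print(name, "->", "; ".join(problems))
```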
